The audit report objective was to assessment of 'the effectiveness of the Australian Government’s personnel security arrangements for mitigating insider threats'.
The Protective Security Policy Framework (PSPF) outlines a suite of requirements and recommendations to assist Australian Government entities to protect their people, information and assets. Personnel security, a component of the PSPF, aims to provide a level of assurance as to the eligibility and suitability of individuals accessing government resources, through measures such as conducting employment screening and security vetting, managing the ongoing suitability of personnel and taking appropriate actions when personnel leave. In 2014, the Attorney-General announced reforms to the PSPF to mitigate insider threats by requiring more active management of personnel risks and greater information sharing between entities. At the time of the audit, further PSPF reforms were being considered by the Government.
The Australian Government Security Vetting Agency (AGSVA) was established within the Department of Defence (Defence) from October 2010 to centrally administer security vetting on behalf of most government entities (with the exception of five exempt intelligence and law enforcement entities). Centralised vetting was expected to result in: a single security clearance for each employee or contractor, recognised across government entities; a more efficient and cost-effective vetting service; and cost savings of $5.3 million per year. ANAO Audit Report No.45 of 2014–15 Central Administration of Security Vetting concluded that the performance of centralised vetting had been mixed and expectations of improved efficiency and cost-effectiveness had not been realised. ...
The effectiveness of the Australian Government’s personnel security arrangements for mitigating insider threats is reduced by: AGSVA not implementing the Government’s policy direction to share information with client entities on identified personnel security risks; and all audited entities, including AGSVA, not complying with certain mandatory PSPF controls.
AGSVA’s security vetting services do not effectively mitigate the Government’s exposure to insider threats. AGSVA collects and analyses information regarding personnel security risks, but does not communicate risk information to entities outside the Department of Defence or use clearance maintenance requirements to minimise risk. Since the previous ANAO audit, AGSVA’s average timeframe for completing Positive Vetting (PV) clearances has increased significantly. AGSVA has a program in place to remediate its PV timeframes, and it has established a comprehensive internal quality framework. AGSVA plans to realise many process improvements through procuring a new information and communications technology (ICT) system, which is expected to be fully operational in 2023.
Selected entities’ compliance with PSPF personnel security requirements was mixed. While most entities had policies and procedures in place for personnel security, some entities were only partially compliant with the PSPF requirements to ensure personnel have appropriate clearances. None of the entities had fully implemented the PSPF requirements introduced in 2014 relating to managing ongoing suitability. In addition, entities did not always notify AGSVA when clearance holders leave the entity.It goes on to note that
AGSVA’s clearances do not provide sufficient assurance to entities about personnel security risks. A significant proportion of vetting assessments in 2015–16 and 2016–17 resulted in potential security concerns being identified, but the majority (99.88 per cent) of vetting decisions were to grant a clearance without additional risk mitigation. On rare occasions AGSVA minimised risk by denying the requested clearance level and granting a lower level, or avoided risk by denying a clearance. In some cases identified concerns, which were accepted by AGSVA on behalf of sponsoring entities, should have been communicated to entities or managed through clearance maintenance requirements.
AGSVA does not provide information about identified security concerns to sponsoring entities outside Defence due to a concern that disclosure would breach the Privacy Act 1988. The PSPF was revised in 2014 to require AGSVA to update its informed consent form to allow such disclosure to occur. Defence and AGD gave a commitment to Government in October 2016 that AGSVA would start sharing risk information in 2017–18. AGSVA updated its consent form in February 2017, but its revised form does not explicitly obtain informed consent to share information with entities. Consequently, AGSVA has not met the intent of the Government’s 2014 policy reform.
AGSVA’s information systems do not meet its business needs, which has resulted in inefficient processes and data quality and integrity issues. Defence is in the scoping and approval stages of a project to develop a replacement ICT system, which is expected to be fully operational in 2023. The audit included additional work on information security, which is the subject of a report prepared under section 37(5) of the Auditor-General Act 1997.